Report No. DODIG-2020-078: Audit Of Physical Security .

FOR OFFICIAL USE ONLYReport No. DODIG-2020-078I nspec tor Ge ne ralU.S. Department of DefenseAPRIL 6, 2020Audit of Physical Security Controlsat Department of Defense MedicalTreatment FacilitiesINTEGRITY INDEPENDENCE EXCELLENCEThe document contains information that may be exempt frommandatory disclosure under the Freedom of Information Act.FOR OFFICIAL USE ONLY

FOR OFFICIAL USE ONLYFOR OFFICIAL USE ONLY

FOR OFFICIAL USE ONLYResults in BriefAudit of Physical Security Controls at Departmentof Defense Medical Treatment FacilitiesApril 6, 2020Background (cont’d)ObjectiveOn October 25, 2019, the Deputy Secretary of Defensedirected that the authority, direction, and control of MTFsin the continental United States, Alaska, Hawaii, andPuerto Rico transfer from the Military Departments tothe Defense Health Agency (DHA). The DHA entered intomemorandums of agreement with the Military Departments toensure efficient and effective MTF operations until the DHAreaches full operating capability. The DHA expects to be atfull operating capability for physical security functions byOctober 1, 2020.The objective of this audit was to determinewhether DoD medical treatment facilities (MTFs)implemented physical security controls toprevent unauthorized access to facilities,equipment, and sensitive areas.BackgroundSeveral past security incidents at DoDinstallations demonstrate the importanceof physical security controls to protectpersonnel and equipment at DoD facilities.For example, in January 2015, an Armyveteran shot and killed a Departmentof Veteran’s Affairs psychologist on thegrounds of William Beaumont Army MedicalCenter at Fort Bliss, Texas. In addition toinsider threats, MTFs can also be subjectto criminal acts such as theft. The U.S. DrugEnforcement Agency reported that in 2018there were 647 armed robberies ofcontrolled substances from U.S. pharmacies.Moreover, the Occupational Safety andHealth Administration reported that therate of serious workplace violence incidentson average was four times greater for healthcare workers than in private industry.(FOUO) In 2019, the GovernmentAccountability Office reported that DoDinstallations were not monitoring thepersonnel access control system foraccess to DoD installations,FindingWe determined that DoD MTFs generally implemented physicalsecurity controls, as required by DoD Instruction 5200.08,“Security of DoD Installations and Resources and theDoD Physical Security Review Board” December 10, 2005,incorporating Change 3, Effective November 20, 2015.However, we also determined that security weaknesses existed.We visited eight MTFs and found that all had implementedlocal physical security measures. However, we identifiedsecurity weaknesses at all of the eight MTFs that could allowunauthorized access to DoD MTFs and controlled or restrictedareas within the MTFs. Specifically: Personnel at six of the eight MTFs had access torestricted areas, such as pharmacies, when they werenot authorized access to those areas, because MTFstaff did not update access control systems and therewas no requirement for them to do so. For example,we determined that three unauthorized personnelat a major medical center used a badge to access thenarcotics vault. Personnel did not limit access to only authorizedpersonnel for a community-based clinic and did notassess the risk of unauthorized personnel entering thecommunity-based clinic, as required by DoD guidance,because security personnel concluded that an accesscontrol point was unnecessary. However, staff at theclinic stated that unauthorized personnel had accessedFOR OFFICIAL USE ONLYDODIG-2020-078 (Project No. D2019-D000AW-0136.000) i

FOR OFFICIAL USE ONLYResults in BriefAudit of Physical Security Controls at Departmentof Defense Medical Treatment FacilitiesFinding (cont’d)the clinic in the past. Without an access controlpoint, an unauthorized individual can enter theclinic and proceed to sensitive areas, such as thepha rols, immediately conduct assessmentsof all generator facilities and fuel storage tanks, andprovide the DHA with the baseline level of protectionfor all community-based clinics. These proposedactions resolve all of the recommendations. We willclose the recommendations when the DHA providesdocumentation to support these actions. Please see theRecommendations Table on the next page for the statusof recommendations.FOR OFFICIAL USE ONLYDODIG-2020-078 (Project No. D2019-D000AW-0136.000) iii

FOR OFFICIAL USE ONLYRecommendations TableRecommendations Recommendations irector, Defense Health AgencyNone1.a, 1.b, 1.c, 1.d,1.e, 1.f, 1.gNoneNote: The following categories are used to describe agency management’s comments to individual recommendations. Unresolved – Management has not agreed to implement the recommendation or has not proposed actions thatwill address the recommendation. Resolved – Management agreed to implement the recommendation or has proposed actions that will address theunderlying finding that generated the recommendation. Closed – OIG verified that the agreed upon corrective actions were implemented.FOR OFFICIAL USE ONLYiv DODIG-2020-078 (Project No. D2019-D000AW-0136.000)

FOR OFFICIAL USE ONLYINSPECTOR GENERALDEPARTMENT OF DEFENSE4800 MARK CENTER DRIVEALEXANDRIA, VIRGINIA 22350-1500April 6, 2020MEMORANDUM FOR DIRECTOR, DEFENSE HEALTH AGENCYSUBJECT: Audit of Physical Security Controls at Department of DefenseMedical Treatment Facilities (Report No. DODIG-2020-078)This final report provides the results of the DoD Office of Inspector General’s audit.We previously provided copies of the draft report and requested written comments onthe recommendations. We considered management’s comments on the draft report whenpreparing the final report. These comments are included in the report.The Defense Health Agency agreed to address all the recommendations presented in thereport; therefore, the recommendations are considered resolved and open. As described inthe Recommendations, Management Comments, and Our Response section of this report, therecommendations may be closed when we receive adequate documentation showing thatall agreed-upon actions to implement the recommendations have been completed. Therefore,please provide us within 90 days your response concerning specific actions in process orcompleted on the recommendations. Your response should be sent to either followup@dodig.milif unclassified or rfunet@dodig.smil.mil if classified SECRET.If you have any questions, please contact me at.Theresa S. HullAssistant Inspector General for AuditAcquisition, Contracting, and SustainmentFOR OFFICIAL USE ONLYDODIG-2020-078 v

FOR OFFICIAL USE ONLYFOR OFFICIAL USE ONLY

FOR OFFICIAL USE ONLYContentsIntroductionObjective. 1Background. 1Review of Internal Controls. 3Finding. DoD Medical Treatment FacilitiesImplemented Physical Security Controls,but Weaknesses Existed. 4DoD Medical Treatment Facilities Implemented Physical Security Controls,but Weaknesses Existed. 5Conclusion .10Recommendations, Management Comments, and Our Response. . 11AppendixScope and Methodology. .14Use of Computer-Processed Data. 15Prior Coverage. 15Management CommentsDHA Comments to Draft Report.16Acronyms and Abbreviations. . 20FOR OFFICIAL USE ONLYDODIG-2020-078 vii

FOR OFFICIAL USE ONLYFOR OFFICIAL USE ONLY

FOR OFFICIAL USE ONLYIntroductionIntroductionObjectiveThe objective of this audit was to determine whether DoD medical treatmentfacilities (MTFs) implemented physical security controls to prevent unauthorizedaccess to facilities, equipment, and sensitive areas. See the Appendix for our scopeand methodology.BackgroundSecurity Threats to DoD PersonnelSeveral past security incidents at DoD installations demonstrate the importanceof physical security controls to protect personnel and equipment at DoD facilities.For example, in January 2015, an Army veteran shot and killed a Department ofVeteran’s Affairs psychologist on the grounds of William Beaumont Army MedicalCenter at Fort Bliss, Texas. The Occupational Safety and Health Administrationhas reported that the rate of serious workplace violence incidents was four timesgreater for health care workers than in private industry on average.1 The U.S. DrugEnforcement Agency reported that in 2018 there were 647 armed robberies ofcontrolled substances from U.S. pharmacies.(FOUO) In 2019, the Government Accountability Office (GAO) reported that DoDinstallations were not monitoring the physical access control system for access toDoD installations,. 2 The physical access control system uses data that is updatedevery 24 hours to allow security personnel to determine whether to permitindividuals access to DoD installations. The GAO concluded that the installationsdid not have the data necessary to evaluate the effectiveness of the system1The Occupational Safety and Health Administration defines workplace violence as violent acts, including physicalassaults and threats of assault, directed toward persons at work or on duty.2Report No. GAO-19-316SU, “DoD Installations: Monitoring the Use of Physical Access Control Systems Could ReduceRisks to Personnel and Assets,” May 31, 2019.FOR OFFICIAL USE ONLYDODIG-2020-078 1

FOR OFFICIAL USE ONLYIntroductionRequirements for Physical SecurityDoD Instruction 5200.08, “Security of DoD Installations and Resources and theDoD Physical Security Review Board,” December 10, 2005, incorporating Change 3,Effective November 20, 2015, requires commanders to prepare and enforce securityorders and regulations to ensure the proper safeguarding of personnel, facilities,and property from loss, destruction, espionage, terrorism, or sabotage.The Interagency Security Committee is a collaborative group that providesleadership to the nonmilitary Federal community supporting physical securityprograms that are comprehensive and risk based. The Interagency SecurityCommittee mandate is to enhance the quality and effectiveness of security in andprotection of buildings and nonmilitary Federal facilities.“The Risk Management Process for Federal Facilities: An Interagency SecurityCommittee Standard, 2nd Edition,” November 2016, defines the criteria andprocesses that those responsible for the security of a facility should use todetermine facility security level, and provides an integrated, single source ofphysical security countermeasures for all Federal facilities. In December 2012,the DoD voluntarily and officially adopted this standard for all off-installationleased facilities.Defense Health Agency TransitionIn 2016, Congress expanded the role of the Defense Health Agency (DHA) bydirecting the transfer of responsibility for the administration of all MTFs fromthe Military Departments to the DHA by October 1, 2018. The National DefenseAuthorization Act for Fiscal Year 2019 extended the date for the transfer toSeptember 30, 2021, using a phased approach. However, the transition planfor MTFs in the United States was modified from a four-phase approach to anaccelerated transition. On October 25, 2019, the Deputy Secretary of Defensedirected that the authority, direction, and control of MTFs in the continentalUnited States, Alaska, Hawaii, and Puerto Rico transfer from the MilitaryDepartments to the DHA. The DHA entered into memorandums of agreement withthe Military Departments to ensure efficient and effective MTF operations untilthe DHA reaches full operating capability. The DHA expects to be at full operatingcapability for physical security functions by October 1, 2020.The 450 MTFs transferring to the DHA include different types of medical facilitiesthat provide different levels of service. For example, the DoD operates majormedical centers that sometimes serve as trauma centers in communities for bothmilitary and civilian patients. Clinics are the smallest medical facilities and aresometimes located off an installation in leased office space.FOR OFFICIAL USE ONLY2 DODIG-2020-078